CVE-2025-37089 – A command injection vulnerability in HPE StoreO... (How to Fix)

Q: What is the severity of CVE-2025-37089?

CVE-2025-37089 has a CVSS score of 9.8 (CRITICAL). A command injection vulnerability in HPE StoreOnce Software allows remote attackers to execute arbitrary commands on affected systems. This affects all HPE StoreOnce systems running vulnerable software versions, potentially compromising backup infrastructure and data.

📋 TL;DR

A command injection vulnerability in HPE StoreOnce Software allows remote attackers to execute arbitrary commands on affected systems. This affects all HPE StoreOnce systems running vulnerable software versions, potentially compromising backup infrastructure and data.

💻 Affected Systems

Products:

HPE StoreOnce Software

Versions: All versions prior to the patched version specified in HPE advisory

Operating Systems: HPE StoreOnce OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all HPE StoreOnce systems including virtual appliances and physical backup appliances.

📦 What is this software?

Storeonce System by Hpe

View all CVEs affecting Storeonce System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data exfiltration, ransomware deployment, or destruction of backup data, potentially affecting all systems backed up to the StoreOnce appliance.

🟠

Likely Case

Unauthenticated remote code execution allowing attackers to gain shell access, install malware, pivot to other systems, or manipulate backup data integrity.

🟢

If Mitigated

Limited impact if network segmentation, strict firewall rules, and proper access controls prevent external access to vulnerable interfaces.

🌐 Internet-Facing: HIGH - CVSS 9.8 indicates critical severity with network attack vector; internet-exposed StoreOnce appliances are immediately at risk.

🏢 Internal Only: HIGH - Even internally, this vulnerability allows lateral movement and compromise of critical backup infrastructure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

CWE-77 command injection vulnerabilities typically have low exploitation complexity once the injection point is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check HPE advisory for specific patched versions

Vendor Advisory: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US

Restart Required: Yes

Instructions:

1. Review HPE advisory for specific patched versions. 2. Download appropriate firmware/software update from HPE Support Portal. 3. Apply update following HPE StoreOnce update procedures. 4. Reboot system as required.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate StoreOnce appliances from untrusted networks and restrict access to management interfaces

Access Control Lists

all

Implement strict firewall rules to limit access to StoreOnce management interfaces

🧯 If You Can't Patch

Immediately isolate StoreOnce appliances from internet and untrusted networks
Implement strict network segmentation and monitor all access to StoreOnce management interfaces

🔍 How to Verify

Check if Vulnerable:

Check StoreOnce software version against HPE advisory; versions prior to patched release are vulnerable

Check Version:

Check version via StoreOnce management interface or CLI (specific command varies by version)

Verify Fix Applied:

Verify software version matches or exceeds patched version specified in HPE advisory

📡 Detection & Monitoring

Log Indicators:

Unusual command execution patterns
Unexpected process creation
Suspicious network connections from StoreOnce appliance

Network Indicators:

Unexpected outbound connections from StoreOnce appliance
Suspicious traffic to/from StoreOnce management ports

SIEM Query:

source="storeonce" AND (process="*sh" OR process="*cmd*" OR command="*;*" OR command="*|*")

📊 Metadata

CVE ID: CVE-2025-37089

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

EPSS Score: 0.36% exploit probability (57.4th percentile)

Published: June 2, 2025

Last Updated: July 2, 2025

🔗 References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37089, you might also want to check these: